Friday, August 19, 2016

Application Containers and Information Centric Security

Please consider the following quote by Grace Hopper, "Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it."As an information security manager, it is critical to understand and to be able to help others understand the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know how, data schema) there is also data, including the increasingly important business record. Is the uniform approach to Defense-in-Depth appropriate when it comes to information?

Information centric, is another way to think of the defense-in-depth concept. Think of concentric rings - at the center of the diagram is your information. However, the center can be anything you value or the answer to the question, "What are you trying to protect?" Around that center you build successive layers of protection. In the diagram, the protection layers are shown as blue rings. In this example, your information is protected by your application. The application is protected by the security of the host it resides on, and so on. In order to successfully get your information, an attacker would have to penetrate through your network, your host, your application, and finally your information protection layers.

Information centric defense starts with an awareness of the value of each section of information within an organization. Identify the most valuable information and implement controls to prevent non-authorized employees from accessing it. A good starting point is to identify your organization's intellectual property, restrict it to a single section of the network, assign a single group of system administrators to it, mark the data, and thoroughly check for this level of data leaving your network.

Containers and Application containers potentially add a new "ring" of protection. According to computerworld, "Application containerization is an OS-level virtualization method for deploying and running distributed applications without launching an entire virtual machine (VM) for each app. Instead, multiple isolated systems are run on a single control host and access a single kernel.

Application containers hold components such as files, environment variables and libraries necessary to run the desired software. Because resources are shared in this way, application containers can be created that place less strain on the overall resources available.

Containers are an attractive option for developers craving for a seamless transition when they move software from one computing environment into another – from staging, testing to production."

But for all their advantages they also present new risks, according to Alderman from Tenable to mitigate, we must:
As new tools and techniques are being developed, Alderman gave some traditional approaches that companies can implement as initial steps to safeguarding their application containers:

1.         Enumerate all container images - Inventory all of your container images to understand what’s running in the environment. If a security flaw is detected in one container image, you’ll understand where these images are running for remediation activities.

2.         Secure the container host - Host vulnerabilities, exploits, and misconfigurations are now accessible across all containers. A single container exploiting the host will take down the whole host.

3.         Verify security of embedded libraries - This will prevent known vulnerabilities in embedded libraries from being deployed in container images.

4.         Limit user privileges in container images - If you’re root in the container, you’ll be root on the host. An attacker who hijacks a container will have access to the privileges of the container. Minimize root and root escalation privileges.

Wednesday, August 17, 2016

Sample Incident Response Policy

Data Breach Response Policy

Created by or for the SANS Institute.  Feel free to modify or use for your organization.  If you have a policy to contribute, please send e-mail to

1.0 Purpose
The purpose of the policy is to establish the goals and the vision for the breach response process. This policy will clearly define to whom it applies and under what circumstances, and it will include the definition of a breach, staff roles and responsibilities, standards and metrics (e.g., to enable prioritization of the incidents), as well as reporting, remediation, and feedback mechanisms. The policy shall be well publicized and made easily available to all personnel whose duties involve data privacy and security protection.

<ORGANIZATION NAME> Information Security's intentions for publishing a Data Breach Response Policy are to focus significant attention on data security and data security breaches and how <ORGANIZATION NAME>’s established culture of openness, trust and integrity should respond to such activity. <ORGANIZATION NAME> Information Security is committed to protecting <ORGANIZATION NAME>'s employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

1.1 Background
This policy mandates that any individual who suspects that a theft, breach or exposure of <ORGANIZATION NAME> Protected data or <ORGANIZATION NAME> Sensitive data has occurred must immediately provide a description of what occurred via e-mail to Helpdesk@<ORGANIZATION NAME>.org, by calling 555-1212, or through the use of the help desk reporting web page at http://<ORGANIZATION NAME>. This e-mail address, phone number, and web page are monitored by the <ORGANIZATION NAME>’s Information Security Administrator. This team will investigate all reported thefts, data breaches and exposures to confirm if a theft, breach or exposure has occurred. If a theft, breach or exposure has occurred, the Information Security Administrator will follow the appropriate procedure in place.

2.0 Scope
This policy applies to all whom collect, access, maintain, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle personally identifiable information or Protected Health Information (PHI) of <ORGANIZATION NAME> members. Any agreements with vendors will contain language similar that protects the fund.
3.0 Policy Confirmed theft, data breach or exposure of <ORGANIZATION NAME> Protected data or <ORGANIZATION NAME> Sensitive data

As soon as a theft, data breach or exposure containing <ORGANIZATION NAME> Protected data or <ORGANIZATION NAME> Sensitive data is identified, the process of removing all access to that resource will begin.

The Executive Director will chair an incident response team to handle the breach or exposure.

The team will include members from:
          IT Infrastructure
          IT Applications
          Finance (if applicable)
          Member Services (if Member data is affected)
          Human Resources
          The affected unit or department that uses the involved system or output or whose data may have been breached or exposed
          Additional departments based on the data type involved, Additional individuals as deemed necessary by the Executive Director

Confirmed theft, breach or exposure of <ORGANIZATION NAME> data

The Executive Director will be notified of the theft, breach or exposure. IT, along with the designated forensic team, will analyze the breach or exposure to determine the root cause.

Work with Forensic Investigators

As provided by <ORGANIZATION NAME> cyber insurance, the insurer will need to provide access to forensic investigators and experts that will determine how the breach or exposure occurred; the types of data involved; the number of internal/external individuals and/or organizations impacted; and analyze the breach or exposure to determine the root cause. 

Develop a communication plan.

Work with <ORGANIZATION NAME> communications, legal and human resource departments to decide how to communicate the breach to: a) internal employees, b) the public, and c) those directly affected.

3.2 Ownership and Responsibilities
Roles & Responsibilities:

          Sponsors - Sponsors are those members of the <ORGANIZATION NAME> community that have primary responsibility for maintaining any particular information resource. Sponsors may be designated by any <ORGANIZATION NAME> Executive in connection with their administrative responsibilities, or by the actual sponsorship, collection, development, or storage of information.
          Information Security Administrator is that member of the <ORGANIZATION NAME> community, designated by the Executive Director or the Director, Information Technology (IT) Infrastructure, who provides administrative support for the implementation, oversight and coordination of security procedures and systems with respect to specific information resources in consultation with the relevant Sponsors.
          Users include virtually all members of the <ORGANIZATION NAME> community to the extent they have authorized access to information resources, and may include staff, trustees, contractors, consultants, interns, temporary employees and volunteers.
          The Incident Response Team shall be chaired by Executive Management and shall include, but will not be limited to, the following departments or their representatives: IT-Infrastructure, IT-Application Security; Communications; Legal; Management; Financial Services, Member Services; Human Resources.

4.0 Enforcement
Any < ORGANIZATION NAME > personnel found in violation of this policy may be subject to disciplinary action, up to and including termination of employment. Any third party partner company found in violation may have their network connection terminated.
5.0 Definitions
Encryption or encrypted data – The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text;
Plain text – Unencrypted data.
Hacker – A slang term for a computer enthusiast, i.e., a person who enjoys learning programming languages and computer systems and can often be considered an expert on the subject(s).
Protected Health Information (PHI) - Under US law is any information about health status, provision of health care, or payment for health care that is created or collected by a "Covered Entity" (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
Personally Identifiable Information (PII) - Any data that could potentially identify a specific individual. Any information that can be used to distinguish one person from another and can be used for de-anonymizing anonymous data can be considered
Protected data - See PII and PHI
Information Resource - The data and information assets of an organization, department or unit.
Safeguards - Countermeasures, controls put in place to avoid, detect, counteract, or minimize security risks to physical property, information, computer systems, or other assets. Safeguards help to reduce the risk of damage or loss by stopping, deterring, or slowing down an attack against an asset.
Sensitive data - Data that is encrypted or in plain text and contains PII or PHI data.  See PII and PHI above.

6.0 Revision History
Date of Revision
Description of Changes
August 17, 2016
Stephen Northcutt
Initial version

Additional study questions for second half of day 2 MGT 512

NOTE: The study questions seemed a bit sparse for today’s session, so I created a few more. Please note that I do not have the books, so I worked directly from the slides. This will probably be off from your books, but gives you a pretty good idea where to look.

What is a next generation firewall? Slide 127

What is the primary advantage to egress filtering? Slide 131

Data analysts have a consistent basis for traffic analysis and rule generation because of      _________________ that converts input into a format the signature rules expect to see .
 Slide 141

Which costs more to operate, IDS or IPS and why? Slide 147

What is the difference between Type  1 and Type 2 Virtualization? Slide 158

Why has Antivirus reached a limit? Slide 168

Name a technical control we can use in configuration management?  __________________ Slide 175

How does RAID 5 try to prevent data loss due to disk physical problems? Slide 196

Of C I A, which is probably most important for a bank or financial institution? Slide 204

Name as many architectural approaches to Defense in Depth as possible? Slide 234

Why should we be cautious about using the word “will” in security policy? Slide255

Thursday, August 11, 2016

Privilege Management Reading List

An Introduction to Identity Management - Spencer C. Lee

The underlying problem is the absence of federated directories.  Microsoft
defines federation as “the technology and business arrangements necessary for
the interconnecting of users, applications, and systems. This includes
authentication, distributed processing and storage, data sharing, and more.”

Federated directories interact and trust each other, thus allowing secure information sharing between applications.  Companies are currently running isolated, independent directories that neither interact with nor trust each other.

NOTE: This was a great paper and ahead of its time, but needs to be updated.
= = =
Improving Application and Privilege Management: Critical Security Controls Update by John Pescatore.

The biggest barrier to enabling application control and privilege management has been
fear of self-inflicted wounds: causing business disruption or huge increases in help desk
calls as legitimate software and business-critical access are blocked. But products and
techniques have improved over the past few years, and today you can find many success
stories that show what works in enabling application control and privilege management
with minimal or no interference to business operations.

This whitepaper describes the recent update to Version 6.0 of the CIS Critical Controls,
with a focus on application control and privilege management as high-payback, quick
wins—when done right

= = =
Keys to the Kingdom: Monitoring Privileged User Actions for Security and Compliance - David Shackleford

According to CERT, mechanisms to prevent privileged insider abuse should include the following:
•   Enforce separation of duties and least privilege. Separation of duties implies that
no one employee can perform all privileged actions for a system or application. Least
privilege implies that employees are granted only the bare minimum privileges
needed to perform their jobs.

•   Implement strict password and account-management policies and practices.
This should be enforced for all users, including administrators and other privileged

•   Log, monitor, and audit employee online actions.Organizations need to be vigilant about what actions privileged users are taking, and should use a variety of logging and monitoring techniques.

•   Use extra caution with system administrators and privileged users. Because these
users are often granted the “keys to the kingdom” in terms of access and capabilities,
additional safeguards often need to be implemented to adequately monitor and man-
age their behavior
= = =
Implementing Least Privilege in an SMB - Tim Ashford

This paper is focused on the problem of managing privilege in the Windows environment.

Note: This paper is a candidate to be updated as an Analyst paper
= = =

Implementing Least Privilege at your Enterprise - Jeff Langford

This is an introduction to the Saltzer and Schroder design principles.
= = =
Security Controls in Service Management - K  V  Warren

This paper is a crosswalk between ISO 27000 and the Critical Controls. Where possible, use access control configuration templates which are in compliance with organization's policies. User and group templates are used grant minimum access rights and privileges needed for the user to perform his/her job.  Policy elements include: (expiry, lifetime, minimum length, complexity, difficulty, lockout after X failed attempts, etc).

NOTE: this paper is a bit dated, but could be a topic for a future Analyst program paper.
= = =
Privileged Password Sharing: "root" of All Evil - J. Michael Butler

Privileged accounts are difficult to manage in any enterprise running multiple distributed operating systems and versions of those systems.  The more disparate the systems, the larger the problem. Take, for example, an environment that has HP UX, Red Hat Linux, IBM AIX, mainframes, Active Directory, Windows 2003 Server, Windows 2008 Server, and a few other odds and ends.  How can one administrator provision and keep track of every privileged user on every system?  For that matter, how can a team of administrators control who is doing what, on which server, and to what end?
= = =

Increasing Security and Reducing Costs by Managing Administrator Rights with Process-based Privilege Management with Viewfinity - A What Works Paper

What caused you to look for a solution like Viewfinity?

 In our Windows XP environment, we had a custom written tool that gave users 24
hour administrative rights to their machines. Going into Windows 7, we knew that tool
wasn’t compatible with Windows 7. About 1,000 of our 6,000 end users had local
administrative rights on their PCs and it had gotten out of hand. We had three different
models for the XP environment: regular users who were given complete local admin
rights, users with extra accounts without Internet access who had local admin rights and
users utilizing the custom written tool for temporary access. Going into Windows 7, we
had to come up with a solution to handle administrative rights and that’s what set us down the path of looking at the different tools and options out there.
NOTE: this paper is a bit dated, any updates on Viewfinity/CyberArk? Any real world stories of PAM tools helping with update to Win 10?
= = =

Wednesday, August 10, 2016

Continuous Monitoring Survey

Part of being a member of the cybersecurity community is helping out with research efforts to identify trends in information security. If you are involved in continuous monitoring please complete this survey.

Continuous Monitoring for vulnerabilities and exposures is providing benefits for 40% of those who took the SANS 2015 survey on continuous monitoring.   Yet, with only 6% scanning for vulnerabilities daily (as recommended by the Critical Security Controls and other important guidelines), there is plenty of room for improvement. (Link to 2015 survey:

In this new survey, publishing November 15, 2016 during a 1 PM ET webcast (, SANS will uncover what improvements organizations have made in their programs since our last survey, along with what practices and tools are making the most positive impact. For example:

  • Have they assessed more of their critical assets that need scanning? (In 2015, the majority had identified only 50% of their critical assets.)
  • Once they’ve identified critical vulnerabilities, can they repair them faster than the 2-3 weeks that the majority of respondents indicated they needed in 2015? If so, how?
  • Are their CM programs improving organizations’ visibility into existing, known assets as well as new assets coming online?
  • Have they achieved more integration and workflow management for the asset lifecycle, which was top of their wish list in last year’s survey? If so, how?

Tuesday, August 9, 2016

Vector of Attack - Unwanted Software

One of the atomic forms of defense in depth is threat vector analysis. Figure out how the bad man can get to us and move to cut that "path" off. According to: The Stack:

In a year-long study in conjunction with New York University, researchers at Google found that unwanted software unwittingly downloaded as part of a bundle to be a larger problem for users than malware. Google Safe Browsing currently generates three times as many Unwanted Software (UwS) warnings than malware warnings, over 60 million per week.

The study found that the pay-per-install (PPI) scheme, whereby a company succeeds in monetizing end user access by paying $0.10 to $1.50 every time their software in installed on a new device, to be the primary source of unwanted software proliferation. To get a payout from a commercial PPI organization, companies bundle regular software with unwanted software, which is then unwittingly downloaded by the user.

Types of unwanted software (UwS, pronounced ‘ooze’) fall into five categories: ad injectors, browser settings hijackers, system utilities, anti-virus, and major brands. While estimates of UwS installs are still emerging, studies suggest that ad injection affects 5% of browsers, and that deceptive extensions in the Chrome Web store affect over 50 million users. 59% of the bundles studied were flagged by at least one anti-virus engine as potentially unwanted.

The full report is at:

According to the study:
Estimates  of  the  incident  rate  of unwanted software installs on desktop systems are just emerging: prior studies suggest that ad injection affects as many as 5% of browsers and that deceptive extensions escaping detection in the Chrome Web Store affect over 50 million users.

Note on Opera from the study:
Based on the affiliate codes embedded in the download URLs for Opera, it appears that Opera directly interacts with PPI operators to purchase installs rather than relying on intermediate affiliates.
Look for connections to